I. INTRODUCTION


Recognizing the relationship between policies and mechanisms has been a problem in the specification and design of many computer systems. What is needed is a simple methodology for assessing the suitability of a protection mechanism to enforce a non-discretionary security policy. Such a methodology, based upon the entity-relationship model and designed with validation of security enforcement as its primary objective, is presented.

Defined as the assignment technique, this mathematically oriented methodology establishes a relationship between the information sensitivities of the system's entities (partitioned according to the policy constraints) and dominance domains (inherently established by a mechanism). The assignment technique provides a means for mechanism sufficiency validation, since the results of the assignment can be evaluated to determine whether the constraints of the policy are met.

Mechanisms are defined as procedural specifications that prevent the occurrence of operations. Protection mechanisms, then, control a subject's access to an object by adhering to some procedural specification of access rules. Policies, however, are generally stated in a non-procedural form. This leads to a problem in translating policies into mechanisms, and in verifying the accuracy of this translation.

Only non-discretionary security policies are discussed in detail. Such policies, however, are extremely important when dealing with protection of business information as well as National Security. Computer systems designed to provide Command, Control and Communications must rely upon effective non-discretionary security if they are to be of any value to National Defense [1]. Compromise and subversion policies [2] precisely define the requirements, but the suitability of a protection mechanism to meet these requirements is not always apparent. A theoretical foundation from which this suitability may be simply and readily derived is established.


A. BACKGROUND 

Non-discretionary policies for the security of sensitive information have existed throughout the annals of history. The basis of these policies lies in a subject (i.e., an active entity) being prohibited modification or observation of an object (i.e., a repository for information or inactive entity) based upon the subject's membership in a specified group. This grouping is established external to the system in which it will be used.

The first computer systems dealt with the problem of security by establishing physical protection perimeters. Walls, locks and marines with rifles provided the environment necessary for system security. This was an acceptable procedure because there were relatively few users of the system and each user was trusted not to violate the security policies. Security was an issue external to the computer itself.

However, as computer technology became more sophisticated, user expectations increased. Policy-makers established security policies and expected their machines to adhere to them without exception. The security perimeters that had been established external to the computer were now to be established internally.

This led to two fields of research. One group, the experimentalists, attempted to design ingeniously contrived mechanisms with little or no concern for the policies which their mechanism would support. Mathematicians, on the other hand, set about the task of modeling policies in a fashion that would establish a foundation for the procedural specification of protection mechanisms. The relationship between these models and the mechanisms was not always clear.

What is needed, and what is presented here, is a simple, complete and consistent means of establishing that a mechanism actually enforces the policy-makers' specifications. This is done by first giving the policy-maker a tool to precisely describe his policy and then giving the systems designers and analysts a technique to evaluate the sufficiency of their mechanism to support this policy.

A careful examination of the fundamental nature of non-discretionary security policies and protection mechanisms is made. This examination is based largely upon the findings of research associated with security kernel technology [3]. The results of this examination show what it is about mechanisms that actually provides the protection and what protection is actually provided. In so doing, a theoretical mathematical foundation is established from which the science of secure computation may proceed to meet the requirements of the policy-maker in a simple, elegant and efficient manner.


B. RELATED WORK 

Research in establishing the suitability of protection mechanisms to meet non-discretionary security policies is practically non-existent. Protection mechanisms are usually presented in an informal manner with implementation details dominating the discussion [4]. Policies, on the other hand, are generated by persons who rarely give consideration to the implementation of these policies in a computer system. The disparity between these two groups has led to little research in methodologies for bridging the broad gap between security policies and protection mechanisms, and even fewer results.

The notion of domains originated with Dennis and Van Horn [5] and their concept of spheres of protection. This idea was improved upon by Lampson [6,7], who coined the term "domain" and noted the usefulness of domains as a conceptual tool for understanding protection mechanisms. Schroeder [8] made use of these ideas to design a protection mechanism that would allow mutually suspicious subsystems to cooperate in a single computation.

Popek [9] modeled the nature of access control with his restriction graphs. Bell and LaPadula [10] made a significant contribution when they identified a mathematical framework within which to deal with the problems of secure computer systems. Their work was based upon general systems theory and finite state automata. Furtek [11] established a similar, less known, mathematical framework based upon the theory of constraints. The Bell and LaPadula work was followed by Walter's [12] development of a lattice model for security policies. This model was refined and later popularized by Denning [13] such that today, nearly all practical policies have been recognized as lattice policies.

Saltzer and Schroeder [14] presented a tutorial on the basic principles of protection in computer systems. Cohen [15], however, provides a far more rigorous discussion of protection mechanisms, while Grohn's [16] research provides considerable insight into a number of details regarding access relations.

Much of this early work was directed towards the solution of the computer security problem in National Defense [12,17]. As such, the authors rarely discussed the motivation for their efforts. It was Schell [1], however, who dramatically described the importance of computer security in a modern electronic environment. Recognition of the significance of this problem motivated the research reported here.


C. ORGANIZATION 

The relationship between security policies and protection mechanisms is not obvious. In order to explore this relationship, one must clarify the meaning of security and protection. Only by methodically examining each and every pertinent principle can one hope to establish a mathematical framework which unifies the security policy issues with the protection mechanisms' design.

The nature of non-discretionary security policies is considered first. The meaning of access relations is explored and commonly known policies are discussed.

Next, a formalized notion of domains is presented. A succinct mathematical definition of a domain is offered. The notions of an (access-mode) domain and of dominance domains are introduced as tools for precisely characterizing protection mechanisms.

Section four discusses the theoretical basis for assignment. The assignment technique is explained, and a means for reducing the number of assignment schemes needed to establish the insufficiency of a mechanism to support some particular policy is derived.

Section five presents detailed applications of simple assignment showing the usefulness of the assignment technique, particularly with respect to mechanism sufficiency validation. Section five dispels much of the mystery that surrounds the ad hoc design of secure computer systems.

Every attempt has been made to provide the reader with a clear understanding of the principles of the assignment technique. Readers are encouraged to question these findings and indeed the fundamentals upon which they are based. Only in so doing can one hope to grasp the meaning of the principles presented and the utility of the assignment technique in establishing a foundation for secure computer systems.

II. NON-DISCRETIONARY SECURITY POLICIES


This section provides a detailed examination of the nature of non-discretionary security policies after first discussing several pertinent concepts concerning policies in general. Some of the issues presented may appear to confuse policy issues with mechanism issues. Hopefully, this confusion will be resolved as the reader obtains a thorough understanding of the inherently isomorphic nature of policies and mechanisms, as substantiated in the ensuing discussion.


A. THE NATURE OF A POLICY 

The fundamental nature of a policy has not been clearly established in the Computer Science field. For example, Wulf, Cohen, Jones and others suggest that a policy is a mechanism when discussing HYDRA [18]. Jones subsequently discusses how protection mechanisms can be used to enforce security policies [19]. On the other hand, Cohen defines a policy as a problem in his doctoral dissertation [15] but enumerates several protection problems associated with one security policy [15]. Such confusion among such a closely related group of computer scientists specializing in operating system security is by no means an isolated situation.
Snyder [20] makes note of this problem, stating that capability-based protection systems designers rarely consider the security policies their system may implement. Throughout the computer security literature, one may observe that the nature of a policy, and how it relates to the protection issues discussed, is often ignored. Perhaps this is because the nature of security policies themselves, and the suitability of protection mechanisms to meet these policies, is not clearly understood. It is the intent of this author to address this problem. In order to do so, one begins by formalizing the notion of a policy.

A policy is a specification of behavior. Such a specification constrains the activities within a system by establishing a distinction between acceptable and unacceptable behavior for some set of classes established by the policy. When dealing with the security issue, the classes (i.e., access classes) are simply labels which the policy uses to distinguish between groups of system entities. So a security policy specifies a set of access classes and identifies the acceptable behavior between them.

Enforcement of policies may be realized in a number of ways. In general, any means of security enforcement internal to the computer may be considered to be a protection mechanism. As such, implementation details are generally ignored.
The term behavior generally implies that an active entity is dealing with some other entity or entities. So one may distinguish between two types of entities with respect to security policy specifications. One type is those entities whose behavior is being controlled. These are the active entities within the system and are referred to as "subjects". The other type is those with which the subject interacts during execution that are not subjects, but rather are simply repositories of information [12]. These are the passive entities within the system, referred to as objects.

A process is characterized by an address space and an execution point or state of its virtual processor. It is important to note the distinction between processes and subjects, as these two terms are often incorrectly considered to be synonymous. A subject is implemented as a process-domain pair [6,7,8]. One must take care not to confuse these two terms.

Much confusion has been associated with the issue of policy enforcement. A policy may be completely enforced in a system, partially enforced in a system or not enforced at all. Partial enforcement applies only to complex policies for which sub-policies can be formulated and enforced. Partial enforcement does not imply enforcement of a policy only under certain conditions, or at certain times, which is, in fact, no enforcement at all. Partial enforcement implies the enforcement of a sub-policy within the context of the overall policy.

Policies are not problems [15]. Problems occur only in the implementation of a policy and are used to describe defects in the enforcement of some policy of interest.

Applying some policy to a system makes no changes to the system at the time of application. This means that policies do not initially alter the entities with which they are associated; rather, entities are assigned to an access class according to the policy. If an entity is assigned to an access class such that its attributes require modification, or its relationships are invalid, or the entity itself does not belong within the system, the system is not in compliance with the policy. Action may be taken later to bring the system into compliance, but simply associating the policy with the system, in effect, only labels the system entities.

Recognizing the nature of a policy is important if one is interested in enforcement of policies in computer systems. This is because the logical nature of a computing device dictates a logical specification of policy. Having clearly described the nature of a policy in general, one may now examine security policies.
B. SECURITY POLICIES

Security policies [...] classes. Non-discretionary security policies (sometimes referred to as mandatory policies) are policies which fix the classification of information [...] establish all permissible access relations (viz., subjects gaining some form of access to objects) according to information sensitivities. Such a [...] to constrain [...] the sensitivity of all objects and of all subjects be clearly identified [...] considered externally [...] environment. Discretionary policies, in a [...] majority of access control within the [...] policies [...] permissible access relations [...] non-discretionary policies of the system [3]. Authorization [...] access an [...] information sensitivity of an object [...] controllable. Such policies are not practical when dealing with many of the National Defense issues. Because of their limited utility, discretionary policies are not as interesting as non-discretionary policies, nor is their enforcement such a critical issue.

Only non-discretionary security policies are examined in this discussion. It is shown that all non-discretionary security policies can be represented as lattice security policies.


C. LATTICE SECURITY POLICIES

A number of non-discretionary security policies have already been described as lattice policies [12,21]. As such, the precise form of the lattice structure is helpful in understanding the nature of the policy [19].

A universally bounded lattice is a mathematical structure consisting of a finite, partially ordered set for which there exists precisely one least common upper element (i.e., the least upper bound (LUB)) and precisely one greatest common lower element (i.e., the greatest lower bound (GLB)) [22,23]. A partially ordered set is a set, Q, together with a relation, R, applied to Q such that R is reflexive, antisymmetric and transitive [22]. For example, consider the set Q = { q1, q2, q3, q4 } and the relation R applied to Q such that q1 R q2 (i.e., q1 is related to q2 by relation R), q1 R q3, q2 R q4, q3 R q4 and q1 R q4. The relation R forms a lattice on the set Q with q1 as the GLB and q4 as the LUB.

When discussing lattice security policies, one recognizes the set Q as the set of access classes established by the policy. The access relation R, however, may vary significantly from policy to policy. This fact is not so well recognized. Denning's information flow model [13], for example, describes a flow relation, ->, defined on pairs of access classes such that for classes A and B, A -> B if and only if information in class A is permitted to flow into class B. This relation applies to compromise and subversion policies, for example, but is meaningless when discussing program integrity.

Three relations between access classes are generally sufficient to describe the specifications of any non-discretionary security policy. For access classes A and B, these are:

A > B   Information of access class A is more sensitive than information of access class B
A = B   Information of access class A is of the same sensitivity as information of access class B
A # B   Information of access class A is in no way related to information of access class B
The notion of sensitivity may be easily confused when discussing several policies. This is because the term takes its meaning from the policy in question and cannot be readily associated with two diverse policies. For example, an object O may be > a subject S with respect to one policy, [...] with respect to another policy, and S > O with respect to still another policy. Sensitivity, then, may not be useful for discussing multiple policy issues. It is, however, a useful intuitive term for describing the lattice nature of a policy.

This author advances the hypothesis that all non-discretionary security policies may be represented as lattice policies. A simple argument is offered in support of this hypothesis, as a complete proof has not been developed.

Non-discretionary security policies are established external to the computer system environment. As such, they mandate some form of behavior between subjects and objects from which the system may not deviate without external authoritative approval. The system entities (i.e., the subjects and objects) must be clearly labeled or otherwise identified with respect to the policy. Grouping those system entities whose labels are identical, one may establish a set of equivalence classes which completely partition the system's entities. One may think of these equivalence classes as labeled by the access classes. Such a partitioning, for all practical policies and systems, is finite.
One may then examine the relations between access classes with respect to the policies. Enumerating all the relations between access classes, one may draw a graph, such as that shown in figure 1, with nodes signifying access classes and arcs signifying that the access class of the higher node (i.e., closer to the top of the page) is more sensitive (>) than the access class of the lower node. Transitive relations need not be drawn, as their inclusion is implicit and does not affect the graph.

Figure 1. Disjoint Partially Ordered Sets and Nodes


If any cycles are discovered in an attempt to construct the graph, one may see that the specification of policy is not enforceable. That is to say, for some cycle of access classes A > B > ... > D > A, the information sensitivity of some access class A is at the same time > A and = A. This is a paradox. Attempting to enforce such a specification is intuitively nonsense! So if one is to have a non-discretionary security policy, viz., one which is to be enforced in a mandatory fashion, one may safely assume that the policy will specify no cyclic relations among the access classes. Therefore, one may categorically state that the graph of any enforceable non-discretionary security policy will never contain any cycles.

Further examining the graph, one can observe that only two general structures may exist. The first consists of unrelated nodes (i.e., those nodes which are singletons representing access classes with no relations to other access classes in the graph). The other structures are partially ordered sets (some of which may be a lattice).

Figure 2. Lattice Structure


If the graph does not contain a least upper bound (LUB), one may arbitrarily create an access class so designated and establish the appropriate relations with respect to its sensitivity (see figure 2). This access class may also be referred to as the "system high." Likewise, one may do the same for the greatest lower bound (GLB), which is generally known as the system low. Note that neither the LUB nor the GLB need have any entities associated with their access class. By forming this structure, one has established a lattice.

Hence, all non-discretionary security policies are lattice security policies. Non-discretionary security specifications that generate cyclic structures are not well formed policies and, as such, their enforcement cannot be evaluated, nor can one consider such a specification to be a policy worthy of discussion.
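The following Python is an added example, not part of the thesis, that carries out the checks this section describes on a set of access classes and its immediate ">" arcs: it closes the relation transitively, reports the classes lying on a cycle (the A > ... > A paradox), tests whether the graph is a universally bounded lattice by requiring a unique LUB and GLB for every pair of classes, and completes a graph that lacks a LUB or GLB by adding a system high and a system low related to the maximal and minimal classes. The labels SYSTEM_HIGH and SYSTEM_LOW and the three sample graphs (a diamond on q1..q4 in the spirit of the set Q above, a chain A > B beside an unrelated singleton C standing in for the disjoint sets of figure 1, and a cyclic specification) are constructed here and are not the thesis's own figures.

```python
from itertools import product

# Labels for the artificial bounds of this section; the names are assumed here.
SYSTEM_HIGH, SYSTEM_LOW = "SYSTEM_HIGH", "SYSTEM_LOW"

# Constructed sample 1: four classes with '>' arcs read so that q4 is the LUB
# and q1 the GLB. A pair (a, b) means "a is more sensitive than b".
Q_CLASSES = ["q1", "q2", "q3", "q4"]
Q_ARCS = {("q4", "q2"), ("q4", "q3"), ("q2", "q1"), ("q3", "q1")}

# Constructed sample 2: a chain A > B and an unrelated singleton C, standing in
# for the disjoint partially ordered sets and nodes of figure 1.
FIG1_CLASSES = ["A", "B", "C"]
FIG1_ARCS = {("A", "B")}

# Constructed sample 3: a cyclic specification A > B > C > A.
CYCLIC_ARCS = {("A", "B"), ("B", "C"), ("C", "A")}


def closure(arcs):
    """Transitive closure of the immediate '>' arcs."""
    rel = set(arcs)
    changed = True
    while changed:
        changed = False
        for (a, b), (c, d) in product(list(rel), repeat=2):
            if b == c and (a, d) not in rel:
                rel.add((a, d))
                changed = True
    return rel


def cyclic_classes(arcs):
    """Classes that are '>' themselves after closure: each lies on a cycle,
    which makes the specification unenforceable."""
    return sorted({a for (a, b) in closure(arcs) if a == b})


def dominates(a, b, rel):
    """a is at least as sensitive as b: equal (=) or strictly more sensitive (>)."""
    return a == b or (a, b) in rel


def least_upper_bound(x, y, classes, rel):
    """Unique least class dominating both x and y, or None."""
    uppers = [u for u in classes if dominates(u, x, rel) and dominates(u, y, rel)]
    least = [u for u in uppers if all(dominates(v, u, rel) for v in uppers)]
    return least[0] if len(least) == 1 else None


def greatest_lower_bound(x, y, classes, rel):
    """Unique greatest class dominated by both x and y, or None."""
    lowers = [l for l in classes if dominates(x, l, rel) and dominates(y, l, rel)]
    greatest = [l for l in lowers if all(dominates(l, m, rel) for m in lowers)]
    return greatest[0] if len(greatest) == 1 else None


def is_lattice(classes, arcs):
    """True when the graph is acyclic and every pair of classes has a unique
    LUB and GLB, i.e. the policy is a lattice security policy."""
    if cyclic_classes(arcs):
        return False
    rel = closure(arcs)
    return all(least_upper_bound(x, y, classes, rel) is not None
               and greatest_lower_bound(x, y, classes, rel) is not None
               for x in classes for y in classes)


def policy_bounds(classes, arcs):
    """(LUB, GLB) of the whole set of access classes, None where not unique."""
    rel = closure(arcs)
    tops = [u for u in classes if all(dominates(u, c, rel) for c in classes)]
    bottoms = [l for l in classes if all(dominates(c, l, rel) for c in classes)]
    return (tops[0] if len(tops) == 1 else None,
            bottoms[0] if len(bottoms) == 1 else None)


def complete_to_lattice(classes, arcs):
    """The construction above: when the graph has no unique LUB (GLB), add a
    system high (system low) class related to every maximal (minimal) class."""
    rel = closure(arcs)
    classes, arcs = list(classes), set(arcs)
    maximal = [c for c in classes if not any((d, c) in rel for d in classes)]
    minimal = [c for c in classes if not any((c, d) in rel for d in classes)]
    if len(maximal) != 1:
        classes.append(SYSTEM_HIGH)
        arcs |= {(SYSTEM_HIGH, m) for m in maximal}
    if len(minimal) != 1:
        classes.append(SYSTEM_LOW)
        arcs |= {(m, SYSTEM_LOW) for m in minimal}
    return classes, arcs


if __name__ == "__main__":
    print("Q is a lattice:", is_lattice(Q_CLASSES, Q_ARCS), policy_bounds(Q_CLASSES, Q_ARCS))
    print("classes on a cycle:", cyclic_classes(CYCLIC_ARCS))
    classes, arcs = complete_to_lattice(FIG1_CLASSES, FIG1_ARCS)
    print("figure 1 completed:", is_lattice(classes, arcs), policy_bounds(classes, arcs))
```

The chain-plus-singleton graph is not a lattice on its own (A and C share no upper bound), and adding the two artificial classes is exactly what makes every pair bounded; a cyclic specification is rejected before any bound is looked for.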


D. SIMPLE LATTICE SECURITY POLICIES 

A policy is a simple lattice policy when the policy establishes either one of two basic lattice structures. The first structure is formed by a simply ordered (viz., linearly ordered or totally ordered) set of access classes. For example, some policy might establish a simply ordered structure where SECRET is more sensitive than (>) CONFIDENTIAL > UNCLASSIFIED. Policies with simply ordered sets of access classes are called "hierarchical policies".

The other basic lattice structure is formed by a mutually exclusive set of access classes. For example, some policy might establish a mutually exclusive structure where CRYPTO is not related to (#) NATO # NUCLEAR. Those policies with mutually exclusive sets are called "category policies". One should note that a "compartment" access class, e.g., CRYPTO-NATO, is formed when some restricted form of access is applicable to two or more otherwise mutually exclusive categories of information.

Recall that a lattice security policy partitions the system's entities, with respect to their information sensitivities, into a set of equivalence classes that can be labeled by the access classes. Consider any two lattice security policies, P1 and P2, and some system containing a non-empty set of entities, A. When P1 is applied to this system, a partition, π1, is established creating the set of equivalence classes { e1, e2, ..., en }. Applying P2 to this system so partitioned refines the system, producing a unique partitioning, π, on A which is simply the product of π1, the partition induced by P1, and the partition induced by P2. So for each ei, an equivalence class created by P1, a new set of equivalence classes, { ei1, ei2, ..., eim }, is produced. The partition π forms a lattice, viz., that induced by the composite policy P.

It readily follows that all lattice security policies are the product of one or more simple lattice policies. The total non-discretionary security package for a system, then, consists of some set of simple lattice security policies successively refining the system's entities, none of which may produce conflicting policies. This is shown to be particularly useful knowledge when one attempts to use the assignment technique as a means of security validation.
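As an added example (not the thesis's own code), the Python below works through this section's construction on a constructed sample system: a hierarchical policy with the page's classes SECRET > CONFIDENTIAL > UNCLASSIFIED partitions the entities first, a category policy over CRYPTO, NATO and NUCLEAR refines that partition, and the product partition is labeled by (level, categories) pairs, so that a compartment such as CRYPTO-NATO appears as a label carrying two categories. It also decides the >, =, # relation between two composite access classes, which shows why the product of two simple lattices contains classes that are unrelated under the composite policy. The entity names and their labels are invented for the example.

```python
from collections import defaultdict

# The page's own examples of the two simple lattice structures.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET"]   # simply ordered, low to high
CATEGORIES = {"CRYPTO", "NATO", "NUCLEAR"}           # mutually exclusive

# Constructed sample system: entity -> (level, categories). A compartment such
# as CRYPTO-NATO is a label carrying more than one category.
ENTITIES = {
    "s1": ("SECRET", frozenset({"CRYPTO", "NATO"})),
    "s2": ("SECRET", frozenset()),
    "o1": ("CONFIDENTIAL", frozenset({"NATO"})),
    "o2": ("SECRET", frozenset({"CRYPTO", "NATO"})),
    "o3": ("UNCLASSIFIED", frozenset()),
}


def partition(entities, label):
    """Equivalence classes of entities sharing the value of `label`."""
    blocks = defaultdict(set)
    for name, attrs in entities.items():
        blocks[label(attrs)].add(name)
    return {k: frozenset(v) for k, v in blocks.items()}


def product_partition(p1, p2):
    """Refine p1 by p2: every block of p1 is split along the blocks of p2, and
    each non-empty piece is labeled by the pair of labels."""
    refined = {}
    for k1, b1 in p1.items():
        for k2, b2 in p2.items():
            if b1 & b2:
                refined[(k1, k2)] = b1 & b2
    return refined


def refines(fine, coarse, entities):
    """True when every block of `fine` lies inside one block of `coarse` and
    the blocks of `fine` still cover every entity exactly once."""
    inside = all(any(b <= c for c in coarse.values()) for b in fine.values())
    covered = sum(len(b) for b in fine.values()) == len(entities)
    return inside and covered and set().union(*fine.values()) == set(entities)


def hierarchical_dominates(a, b):
    """a >= b in the simply ordered policy SECRET > CONFIDENTIAL > UNCLASSIFIED."""
    return LEVELS.index(a) >= LEVELS.index(b)


def category_dominates(a, b):
    """a >= b in the category policy: a compartment dominates any subset of its
    categories; two non-empty disjoint sets are unrelated (#)."""
    return a >= b


def composite_dominates(la, lb):
    """Dominance in the product lattice requires dominance in both factors."""
    return hierarchical_dominates(la[0], lb[0]) and category_dominates(la[1], lb[1])


def relation(la, lb):
    """The relation between two composite access classes: '>' (la is more
    sensitive), '<' (lb is more sensitive), '=' or '#' (unrelated)."""
    ab, ba = composite_dominates(la, lb), composite_dominates(lb, la)
    if ab and ba:
        return "="
    if ab:
        return ">"
    if ba:
        return "<"
    return "#"


if __name__ == "__main__":
    by_level = partition(ENTITIES, lambda a: a[0])
    by_cats = partition(ENTITIES, lambda a: a[1])
    composite = product_partition(by_level, by_cats)
    for (level, cats), block in composite.items():
        print(level, "-".join(sorted(cats)) or "(no category)", sorted(block))
    print(relation(("SECRET", frozenset({"CRYPTO", "NATO"})),
                   ("CONFIDENTIAL", frozenset({"NATO"}))))
```

Note that a SECRET class with no categories and a CONFIDENTIAL-NATO class come out as "#": the hierarchical factor orders them one way and the category factor refuses to order them at all, which is exactly the situation in which sensitivity alone, as the previous section warns, stops being a useful guide.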
E. ACCESS RELATIONS

Each specific non-discretionary security policy will distinguish one or more distinct access relations between subjects and objects. Associated with these distinctions one may derive, where not otherwise specified, the set of "access rights" which may be accorded to the subject. These access rights specify the liberties which the subjects may take with respect to these objects. Access rights are typically mirrored in the access modes of the corresponding protection mechanism. Although there exists a fine difference between an "access right" and an "access mode", viz., access rights are associated with security policies and access modes are associated with the protection mechanisms which enforce the policy, this discussion frequently refers to an "access right" as an "access mode" because it is the access mode which must inevitably be questioned when evaluating the enforcement of a security policy.

The enforcement of a policy is fundamentally limited by the system's granularity of access, which may also be thought of as the system's variety or richness of access modes. Policies that prescribe distinctions not recognized by the access control mechanisms must be enforced in an overly restrictive manner or ignored. For example, a policy addressing a concatenation access relation cannot be precisely enforced on a system that does not recognize some form of append access mode.

The basis of all security enforcement evaluation lies in the acceptability of an access relation. An access relation is defined as a tuple (subject, access mode, object). This tuple signifies that a relation between the subject and object exists such that the subject is permitted to access the object with all the privileges associated with the access mode. The problem of information security may generally be expressed as the problem of permitting the existence of only those access relations that in no way violate any of the applicable system's policies.

One can see, then, that the granularity of access control within a system is dependent upon the ability to distinguish attributes of subjects and objects plus the distinct access modes available. The primitive access modes (i.e., those access modes that are not decomposable by the system) associated with the design of the system, including the protection mechanisms, designate the associated rights accorded to an access request.

When the granularity of access is successively refined, one may observe two conflicting phenomena. First, the ability to distinguish between access relations is more pronounced, thus allowing for greater sophistication and variety in policy formulation. The problem, however, is that the increased distinctions of access relations increase the complexity of the security evaluation process. Systems designers are faced with the problem of striking a balance between the granularity of access and the complexity of system security validation.

This has not deterred the efforts of many systems designers, however, as the granularity of subjects and objects is quite refined in many systems. Unfortunately, these systems, almost without exception, have failed to enforce even minimal non-discretionary security policies.

Two generic access modes are particularly useful in the discussion of security. These are [16] "observe" (the ability to observe information) and "modify" (the ability to modify information). Other access modes may be generally thought of as a finer granularity of these two access modes. Figure 3 illustrates one such possible set of primitive access modes and how they are associated with the generic access modes.

Figure 3. Generic Access Modes


The problem of computer security enforcement can be reduced to the problem of limiting the access relations within the system to only those that neither directly nor indirectly violate the system's security policies. If one can establish that all of the access relations permitted in the system are acceptable to the policy, one has established that the system is "secure".
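The Python below is an added example, not code from the thesis, that applies this section's criterion to a constructed system: every access relation (subject, access mode, object) that a mechanism permits is checked against a lattice policy, and the system counts as secure only when none violates it. Each primitive mode is decomposed into the generic modes observe and modify; the decomposition used (read and execute as observe, append as modify, write as both) is an assumption standing in for figure 3, which is not reproduced on the page. The acceptability rule is likewise an assumed compromise (confidentiality) policy, observe only what the subject dominates and modify only what dominates the subject, since the thesis does not fix those directions here. The ">" relation is derived from immediate arcs by following chains, in the manner of the transitive relations inferred from an access relation graph in the following section. The example also shows the granularity point: a mechanism with no append mode must treat append as write and so rejects a relation the policy allows.

```python
# Constructed policy: immediate '>' arcs of a hierarchical lattice. A pair
# (a, b) means "a is more sensitive than b"; transitive relations are derived.
IMMEDIATE_ARCS = {("SECRET", "CONFIDENTIAL"), ("CONFIDENTIAL", "UNCLASSIFIED")}

# Assumed decomposition of a mechanism's primitive modes into the two generic
# modes of [16]; figure 3 of the thesis is not reproduced here.
GENERIC = {
    "read": {"observe"},
    "execute": {"observe"},
    "append": {"modify"},
    "write": {"observe", "modify"},
}


def reachable(start, arcs):
    """Classes strictly less sensitive than `start`, following arc chains."""
    seen, stack = set(), [start]
    while stack:
        a = stack.pop()
        for x, y in arcs:
            if x == a and y not in seen:
                seen.add(y)
                stack.append(y)
    return seen


def dominates(a, b, arcs=IMMEDIATE_ARCS):
    """a >= b: reflexive, or b is reachable from a over the '>' arcs."""
    return a == b or b in reachable(a, arcs)


def permitted(subject_class, mode, object_class):
    """Assumed compromise (confidentiality) rule: a subject may observe only
    objects it dominates and may modify only objects that dominate it, so
    information never reaches a less sensitive class."""
    for generic in GENERIC[mode]:
        if generic == "observe" and not dominates(subject_class, object_class):
            return False
        if generic == "modify" and not dominates(object_class, subject_class):
            return False
    return True


def permitted_without_append(subject_class, mode, object_class):
    """A mechanism lacking an append mode must treat append as write: the
    policy's append relation is then enforced in an overly restrictive way."""
    return permitted(subject_class, "write" if mode == "append" else mode, object_class)


# Constructed system: entity labels and the access relations a mechanism permits.
LABELS = {"alice": "SECRET", "bob": "UNCLASSIFIED",
          "plans": "SECRET", "memo": "CONFIDENTIAL", "bulletin": "UNCLASSIFIED"}
RELATIONS = [
    ("alice", "read", "bulletin"),     # observe downward: acceptable
    ("alice", "write", "bulletin"),    # modify downward: violation
    ("bob", "append", "plans"),        # modify upward: acceptable
    ("bob", "read", "plans"),          # observe upward: violation
    ("alice", "append", "memo"),       # modify downward: violation
    ("alice", "execute", "memo"),      # observe downward: acceptable
]


def violations(relations, labels):
    """Access relations the policy does not accept."""
    return [(s, m, o) for s, m, o in relations if not permitted(labels[s], m, labels[o])]


def system_is_secure(relations, labels):
    """Secure iff every permitted relation is acceptable to the policy."""
    return not violations(relations, labels)


if __name__ == "__main__":
    for v in violations(RELATIONS, LABELS):
        print("violates policy:", v)
    print("secure:", system_is_secure(RELATIONS, LABELS))
```

Three of the six permitted relations fail the check, so the constructed system is not secure; dropping them leaves a permitted set the policy accepts. The append case shows the cost of coarse granularity: bob appending to plans is acceptable under the policy, but a mechanism that can only say "write" has to refuse it.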


F. ILLUSTRATION OF POLICIES 

In reviewing the computer science literature, this author was unable to discover any illustration forms appropriate for showing the features of non-discretionary security policies in sufficient detail that one could readily discern all permissible access relations within the system simply by examining the illustration alone. This section presents a review of the major forms examined and their failure to adequately illustrate access relations. It also provides two proposed alternative forms that more clearly illustrate the access relations of a system in a manner which leaves no doubt as to the nature of the policy and the requirements for its enforcement.

Figure 4. Basic Lattice Form


Figure 4 shows a representation for a lattice structure commonly found in mathematical texts [22,23]. With respect to lattice security policies, each node represents an access class and the arcs signify that the node nearer the top of the page represents an access class which is more sensitive than the lower nodes' access class. Thus, in figure 4 one may observe that A > D and B # A. Sometimes these arcs are labeled by ">" symbols, but this merely tends to clutter the illustration and provides no additional information. Note that this form provides no information about access relations without some examination of the policy that is being illustrated, e.g., one cannot readily answer the question "can a subject of access class A write to an object of access class D?"

The form shown in figure 5 [12,15] provides basically the same information. This form illustrates the permissible information flow that is immediate and non-reflexive by means of directed arcs. Nodes are once again used to represent access classes. Access relations are still not discernible by examination of the illustration alone.

[Figure 5 (information flow form): nodes A, B, C and GLB joined by directed flow arcs]

Figure 5. Information Flow Form





Another form which is popular in capability-based protection systems research [24], illustrated in figure 6, is called a protection graph [20]. These graphs specify each subject as a solid node, ●, and each object as an empty node, ○. The directed arcs between nodes specify the access rights of the source by the associated labels. This form provides an extremely detailed means of representing all access relations within the system. Unfortunately, this form provides such detail that an illustration of any practical system becomes exceedingly busy. Thus one quickly loses the ability to distinguish between access classes even when they are clearly labeled. What is needed is a higher order of abstraction for the presentation of practical systems.


[Figure 6: protection graph with subject nodes Captain, Admiral and Engineer, object nodes Sitreps, Plant Status and Repair Status, and arcs labeled read, write, append, execute, take and grant]

Figure 6. Protection Graphs [20]
Figure 7 represents the first illustration form proposed by this author, called an "access relation graph". In this form, each node represents an access class as specified by the policy. All non-reflexive immediate access relations [13] between access classes (except those that may be established by forming a transitive closure over some given access mode(s)) are grouped by access mode and shown as directed arcs labeled by the associated access mode(s). This form solves the problem of the protection graph for non-discretionary security policy representation by providing the minimum information necessary for one to fully grasp all the security implications of the policy from a single illustration.






[Figure 7: access relation graph with arcs labeled modify and observe]

Figure 7. Access Relation Graph
The access relation graph clearly shows all permissible access relations specified by a non-discretionary security policy. Reflexive relations, i.e., those with a subject of the same access class as the object, need never be specifically cited unless all access modes are not permitted within an access class. Antisymmetric relations are clearly defined by the directed arcs. Transitive relations are inferred from the path of two or more antisymmetric relations (viz., in figure 7 a subject of the LUB access class may read from an object of the GLB access class). Therefore, the form meets the mathematical requirements for a lattice in that all access relations for the lattice (i.e., a universally bounded partially ordered set) are clearly illustrated.

In its most delineated case, the access relation graph is reduced to a protection graph. The advantage of the access relation graph over the protection graph is simplicity. Only the access relations needed to represent the policy are shown. Additionally, complex policies and composite policies are illustrated in one simplified form.

Another illustration form that is particularly useful when discussing uniform lattice structures (i.e., those access relation graphs where the access modes between any two antisymmetric access classes are identical) is the linear access graph. Such a graph shows the security label(s) of the objects (i.e., how one represents the sensitivity of the object) and denotes the access modes available to subjects of varying sensitivity with respect to the sensitivity of the objects. Figure 8(A) illustrates a more general linear access graph. In this figure, subjects with greater sensitivity than the object's sensitivity would enjoy the use of access mode(s) 2 when referencing that object. Subjects of inferior sensitivity than the object's sensitivity would enjoy the use of access mode(s) 1 when referencing that object. Subjects of the same sensitivity as the object would enjoy access modes 1 and 2 when referencing the object. The linear access graph for the Multics Ring Brackets, first pointed out to the author by R. Schell, is shown as an example of a familiar policy represented in this form in figure 8(B).


[Figure 8(A): general linear access graph from System High to System Low, with access mode(s) 1 on one side of the security label and access mode(s) 2 on the other. Figure 8(B): the Multics ring brackets Ring 0, R1, R2, R3 with the execute, write and read modes]

Figure 8. Linear Access Graphs
The disadvantage of the linear access graph is that it can only be used for illustration of uniform policies, i.e., those policies where the access relations between any two access classes (one of which is more sensitive than the other) are identical. The succinct nature of this form, however, makes it possible to capture the essence of a class of policies, i.e., those which may be described by the same linear access graph, without going into all the details.


G. EXAMPLE POLICIES 

Having discussed the nature of policies in general, one is now prepared to examine several specific policies of interest. Such a discussion logically begins with the two broadest classes of security policies, i.e., compromise and subversion.


[Figure 9: linear access graph with Modify on the upper-limits side and Observe on the lower-limits side of the sensitivity label]

Figure 9. Compromise Policy.


A compromise policy, sometimes referred to simply as a security policy, is one whose primary intent is to prohibit the unauthorized observation of information. Figure 9 shows the general form of such a policy. Subjects may observe only those objects whose sensitivity is less than or equal to the subject's sensitivity in order to prevent direct observation of an object by an unauthorized subject, viz., the Simple Security Condition [18]. In order to prevent indirect observation of objects by unauthorized subjects, a sufficient but not necessary condition establishes that modification of objects must at least be limited to those subjects whose sensitivity is less than or equal to the object's sensitivity, viz., the (Security) Confinement Property, also known by a less descriptive title as the *-Property [18].

A subversion policy, sometimes referred to simply as an integrity policy, is the dual of a compromise policy. The primary interest of a subversion policy is to prohibit the unauthorized modification of information. Figure 10 illustrates these general characteristics. Subjects may modify only those objects whose sensitivity is less than or equal to the subject's sensitivity in order to prevent direct modification of an object by an unauthorized subject, viz., the Simple Integrity Condition [21]. In order to prevent indirect modification of objects by unauthorized subjects, a sufficient but not necessary condition is that observation of objects must be limited to those subjects whose sensitivity is less than or equal to the object's sensitivity, viz., the Integrity Confinement Property [21].
[Figure 10: linear access graph with Observe on the upper-limits side and Modify on the lower-limits side of the sensitivity label]

Figure 10. Subversion Policy.


The importance of subversion policies should not be underestimated [2,21]. Changing the course of an ICBM, for example, should in most cases require a more sensitive authorization than simply knowing its course. Such policies, however, are often overlooked in many Command, Control, and Communications systems [2].

Another general class of policies that is of general interest in Security Kernel research, and whose title was coined during the course of this research effort by R. Schell, are the "Program Integrity" policies [4]. The notion of program integrity stems from the desire to prohibit unauthorized modification of executable programs by less trustworthy subjects. In the general case, one wishes to ensure that the more sensitive programs are tamperproof. In other words, one wants to be sure that the program can be "trusted" to perform as specified and can not be "tricked" by merely reading data of lower sensitivity or "importance". For example, a system designer/programmer may wish to insure that his programs always perform as specified in both his test environment and in any application environment. Unlike a strict integrity policy [21], program integrity is not concerned with the issue of general observation of information. Program integrity is therefore less conservative (and thus more "risky") than Biba's integrity policy. Program integrity deals only with execution and modification of information. As such, figure 11 illustrates the general form of a program integrity policy.


[Figure 11: linear access graph with Execute on the upper-limits side and Modify on the lower-limits side of the sensitivity label]

Figure 11. Program Integrity Policy.


One may guarantee that no direct modification of a program by an unauthorized subject (i.e., a direct threat) is possible by enforcement of the following condition:

Program Integrity Condition: If a subject has modify access to an object, then the program integrity of the subject is greater than or equal to the program integrity of the object.

Because program integrity policies are concerned with the execution issue (versus the observation issue [21]), indirect modification of information is not strictly prohibited. This provides a certain degree of flexibility, but also produces a certain amount of risk [19]. Confinement of execution reduces the risk of such an indirect threat but does not eliminate it. A more sensitive subject must be trusted not to modify a less sensitive object either intentionally or otherwise. An indirect threat occurs when a subject executes a program that has been modified by a less trustworthy subject; therefore, one wishes to confine the execution access relations. The confinement property for program integrity is defined as follows:


Program Integrity Confinement Property: If a subject has execute access to an object, then the program integrity of the object is greater than or equal to the program integrity of the subject.
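The access rules of figures 9, 10 and 11, written out as predicates over a linear lattice of sensitivity labels, as an added example that is not the thesis's own code. The label list is a constructed assumption (the four hierarchical classes the National Security Policy establishes later in this section); the arc set mirrors the access relation graph of figure 7.

```python
"""Added example, not code from the thesis: the access rules of figures 9,
10 and 11 as predicates over a linear lattice of sensitivity labels, plus
the arc sets an access relation graph (figure 7) would draw for them.

Assumed: labels are ordered by their position in the constructed LEVELS
list, least sensitive (GLB) first."""

from typing import Callable

# Constructed linear lattice of sensitivity labels, GLB first.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

def rank(label: str) -> int:
    """Position of a label in the lattice; larger means more sensitive."""
    return LEVELS.index(label)

def dominates(x: str, y: str) -> bool:
    """True when the sensitivity of x is greater than or equal to that of y."""
    return rank(x) >= rank(y)

# A policy maps each access mode it constrains to the condition under which
# a subject of class s may use that mode on an object of class o.
Policy = dict[str, Callable[[str, str], bool]]

# Compromise policy (figure 9): Simple Security Condition for observe,
# (Security) Confinement Property (the *-property) for modify.
COMPROMISE: Policy = {
    "observe": lambda s, o: dominates(s, o),   # object sensitivity <= subject's
    "modify":  lambda s, o: dominates(o, s),   # subject sensitivity <= object's
}

# Subversion (integrity) policy (figure 10): the dual of the compromise policy.
SUBVERSION: Policy = {
    "modify":  lambda s, o: dominates(s, o),   # Simple Integrity Condition
    "observe": lambda s, o: dominates(o, s),   # Integrity Confinement Property
}

# Program integrity policy (figure 11): Program Integrity Condition for
# modify, Program Integrity Confinement Property for execute.  The policy
# says nothing about observe, so that mode is absent here.
PROGRAM_INTEGRITY: Policy = {
    "modify":  lambda s, o: dominates(s, o),
    "execute": lambda s, o: dominates(o, s),
}

def permitted(policy: Policy, mode: str, subject: str, obj: str) -> bool:
    """Decide one access.  A mode the policy does not constrain is reported
    as not permitted: the policy grants nothing for it."""
    rule = policy.get(mode)
    return rule is not None and rule(subject, obj)

def permitted_relations(policy: Policy, mode: str) -> set[tuple[str, str]]:
    """Every (subject class, object class) pair the policy permits for a
    mode, reflexive pairs included."""
    return {(s, o) for s in LEVELS for o in LEVELS if permitted(policy, mode, s, o)}

def immediate_arcs(policy: Policy, mode: str) -> set[tuple[str, str]]:
    """The arcs of the access relation graph for one mode: non-reflexive,
    immediate (adjacent classes only) relations.  Transitive relations are
    inferred from paths and reflexive ones are left implicit."""
    return {(s, o) for (s, o) in permitted_relations(policy, mode)
            if abs(rank(s) - rank(o)) == 1}

def is_dual(p: Policy, q: Policy) -> bool:
    """Two policies are duals when, for every mode both constrain, each
    permits exactly the reversed pairs of the other."""
    return all(permitted_relations(p, m) == {(o, s) for (s, o) in permitted_relations(q, m)}
               for m in p if m in q)
```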


The remainder of the section discusses three policies of general interest to federal ADP users. Any computer system designed for use by the federal government should, as a minimum, consider its ability to enforce these policies.

1. National Security Policy

The National Security Policy classifies information essential to the National Defense or foreign relations of the United States. The President of the United States established this policy in Executive Order Number 12065 dated June 28, 1978 [25]. This order defines three levels of classification as follows:

TOP SECRET: That information or material the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to the national security.

SECRET: That information or material the unauthorized disclosure of which could reasonably be expected to cause serious damage to the national security.

CONFIDENTIAL: That information or material the unauthorized disclosure of which could reasonably be expected to cause damage to the national security.

Implicit in this set of definitions, there also exists a classification of information which is not classified. Therefore, one has four hierarchical access classes established by this policy, the intent of which is to prevent unauthorized disclosure (viz., observation) of information so classified. Figure 12 shows the access relation graph for this compromise policy, which is referred to as the basic National Security Policy.

Executive Order 12065 also establishes [25] the authority to originally classify new information. Information may be classified Top Secret only by officials designated in writing. Information may be classified Secret only by officials who have Top Secret classifications or by officials designated in writing. Information may be classified Confidential only by officials with Top Secret or Secret classifications or by officials designated in writing.

In order to obtain access to classified material, the order indicates that a person must be determined trustworthy (granted clearance) and that access is necessary in the performance of that person's duties (need to know). This is a discretionary policy, however, and will be discussed no further. All classified material shall be appropriately and conspicuously marked to put all persons on clear notice that the information is classified. Classified material no longer needed shall be promptly destroyed.





[Figure 12: access relation graph with Observe and Modify arcs over the classes TOP SECRET, SECRET, CONFIDENTIAL and UNCLASSIFIED]

Figure 12. The Basic National Security Policy.


2. National Integrity Policy

The dual of the National Security Policy is the National Integrity Policy [21]. Motivation for such a policy comes from the desire to prohibit subversion, i.e., the unauthorized modification of information. The following set of integrity classes have been established for this policy [21]. Implicit with this classification scheme, one also has information that is not classified.

TOP SECRET: That information or material the unauthorized modification of which could reasonably be expected to cause exceptionally grave damage to the national security.

SECRET: That information or material the unauthorized modification of which could reasonably be expected to cause serious damage to the national security.

CONFIDENTIAL: That information or material the unauthorized modification of which could reasonably be expected to cause damage to the national security.

One further point concerning Integrity Policies must be emphasized before one proceeds. Generally speaking, one has a good notion of how to classify information with respect to security and unauthorized observation, but classification with respect to integrity is not so easily identified. In some sense, integrity classification must be determined by the object's potential importance rather than its current importance. Consider, for example, a simple sine function tucked away in some obscure user library. If this function is used to compute trajectories for an inter-continental ballistic missile, it becomes TOP SECRET with respect to the National Integrity Policy, whereas it is clearly UNCLASSIFIED with respect to the National Security Policy. Classification of information with respect to integrity will generally require considerable planning and foresight [2].
3. Privacy

The Code of Fair Information Practices and the Privacy Act of 1974 established the following basic policy for the Federal Government [26].

(1) There must be no personal data record-keeping systems whose very existence is secret.

(2) There must be a way for an individual to find out what information about him is on record and how it is used.

(3) There must be a way for an individual to correct or amend a record of identifiable information about him.

(4) There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.

(5) Any organization creating, maintaining, using or disseminating records of identifiable personal data must guarantee the reliability of the data for their intended use and must take precautions to prevent misuse.

All information systems (including computer systems) used by the Federal Government are subject to these privacy requirements and must incorporate a corresponding set of safeguards when they process Privacy Information.

These three policies are applicable to many Federal data processing applications. Numerous other non-discretionary policies exist both in the Federal, State, and Local governments and in private industry. It has been shown in this section that these policies may be precisely described using access relation graphs or linear access graphs as described in this section. Once a policy has been so described, a precise evaluation of its enforcement may be considered.
III. A FORMALIZED NOTION OF DOMAINS


The notion of a domain has not been clearly presented in a precise manner, nor properly defined. Dennis [5] introduced the concept by describing a "sphere of protection". Lampson [6] refined the concept, coining the term "domain", and defined a domain as a group of capabilities or protected names. Schroeder [8] maintains Lampson's definition, but provides an in-depth discussion and presentation of his ideas, many of which were instrumental in the formulation of the concepts presented here. Schroeder further refined the ideas from his thesis, and together with Saltzer [14], defines a domain as a set of objects that may be accessed by a principal. This definition is the most commonly accepted today, but for any rigorous discussion of domains, or for presentation of a concept such as the assignment technique, a more formalized definition is needed.

An access domain A is a tuple (a_1, a_2, ..., a_n), where n is the number of primitive (non-decomposable) access modes in the system and a_i is the set of all objects, {o_1, o_2, ..., o_m}, accessible by the i-th access mode. An (access mode)-domain is the set of objects that a process executing in that domain (i.e., a subject) has the right, or privilege of, accessing according to the rules for that particular access mode.


Consider the following examples of domains:

A_1: (Observe(O):{A}, Modify(M):{B})

A_2: (O:{A,B,C}, M:{A,B,C})

A_3: (O:{A,C,D}, M:[modify set illegible in source])

A_4: (O:{A,B,C,D}, M:{A,B,C,D})

The observe-domain of A_1 (denoted as OA_1) is the object A and the modify-domain MA_1 is the object B. Note that simply referring to A_1 as containing objects A and B would not provide much insight into the true nature of this domain [14].

The notion of "dominance" with respect to domains was introduced by Grohn [16]. These notions are refined from security dominance and integrity dominance to a more general definition of dominance.

A domain A_i dominates (≥) A_j if and only if (iff) for each access mode a, a_i ⊇ a_j. This is particularly useful when discussing the relationship between domains with respect to access modes. One can say that for some a, aA_i ≥ aA_j iff aA_j ⊆ aA_i. Continuing with the previous group of example domains, OA_4 ⊇ OA_3 and MA_4 ⊇ MA_3 [the remaining subset relations of this sentence are illegible in the source], so A_4 dominates A_3, but A_3 does not dominate A_4. Similar examples can be formulated by the reader.

Dominance domains may be labeled for convenience. In the Multics system, for example, the dominance domains established by the ring mechanism were known as rings and were labeled by ring numbers. Schroeder's protection mechanism also uses numbers as labels for dominance domains [8].

The system's protection mechanisms establish a set of dominance domains that can be used for evaluating the protection mechanisms. These dominance domains dominate all domains that currently exist or may exist within the system. If one can establish the set of dominance domains for the system and one can show that the policy holds for these domains, then one can show that the policy holds for all domains.

A mechanism, in the most general sense, is something that prevents the occurrence of certain sequences of operations [15]. A protection mechanism, or an access control mechanism, can be defined as something that prevents the unauthorized access of information. In the broadest sense, one may include as protection mechanisms such things as walls, patrol dogs and cypher locks. More specifically, though, a protection mechanism for a computer operating system is a procedure, implemented in software, firmware (if there is such a thing) or hardware, that prohibits the access of objects within a system such that the domain of any process is dominated by some particular dominance domain inherently established by the protection mechanisms.





[Figure 13: concentric rings numbered outward from the kernel, ring 0]

Figure 13. Multics Rings


The Multics Ring Mechanism [28] is a well known protection mechanism that provides an excellent example for the discussion of dominance domains. One may think of these dominance domains as a set of concentric rings (illustrated in figure 13), each numbered in increasing order from the inner-most ring or kernel. The kernel is conventionally assigned ring number zero.
The Multics Ring Mechanism determines the authorized access of a subject by means of the current ring number (r) that specifies the dominance domain. Discrimination among objects is by means of a ring bracket. The ring bracket is a three-tuple (R1, R2, R3) where R1, R2, and R3 are ring numbers and R1 must be numerically less than or equal to R2, which is less than or equal to R3. Access is characterized by the rules illustrated in the linear access graph shown in figure 14.


[Figure 14: linear access graph over Ring 0, R1, R2 and R3, with Execute and Call (as a gate) on one side and Write (Modify) and Read (Observe) on the other]

Figure 14. Multics Ring Mechanism Linear Access Graph


Consider now a system that uses the Multics Ring Mechanism and discriminates among four distinct hierarchical rings (0 thru 3). One may think of the domains established by this system as A_0, A_1, A_2, and A_3. Consider the rules of access established in figure 14, where MA_i is the set of objects that may be modified by a process in domain i. Then MA_0 ⊇ MA_1 ⊇ MA_2 ⊇ MA_3. Likewise, OA_0 ⊇ OA_1 ⊇ OA_2 ⊇ OA_3. No such relationship exists for execute or call (as a gate). EA_0 does not dominate EA_2, as R2 may be 2 for some object X, in which case X ∈ EA_2 but X ∉ EA_0. Likewise CA_0 (the Call (as a gate) domain of 0) does not dominate CA_1, as R3 may be zero, for example, in which case R1 and R2 must be zero, ruling out the possibility of successive dominance call-domains.

Note that a single object may be a member of several dominance domains. Some object X, with ring brackets (2,2,6), is a member of OA_0, OA_1, OA_2, MA_0, MA_1, MA_2, EA_2, and CA_3. Therefore, X ∈ A_0, A_1, A_2, and A_3. This concept can be confusing, as an object is a distinct entity, generally represented by a single image.
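The domain tuple, the dominance relation and the ring-bracket example above, as an added example that is not the thesis's own code. The bracket rules are assumed to be the standard Multics ones (write for r ≤ R1, read for r ≤ R2, execute for R1 ≤ r ≤ R2, call as a gate for R2 < r ≤ R3), and every segment other than X, with its bracket (2,2,6), is constructed.

```python
"""Added example, not code from the thesis: access domains as one object
set per primitive access mode, the dominance relation of section III, and
the dominance domains a four-ring Multics-style mechanism establishes.

Assumed: the standard Multics bracket rules (write for r <= R1, read for
r <= R2, execute for R1 <= r <= R2, call as a gate for R2 < r <= R3);
all segments and brackets other than X's (2, 2, 6) are constructed."""

MODES = ("observe", "modify", "execute", "call")

# An access domain A is the tuple (a_1, ..., a_n): one object set per mode.
Domain = dict[str, frozenset[str]]

def domain(**modes: set[str]) -> Domain:
    """Build a domain from keyword object sets; unmentioned modes are empty."""
    return {m: frozenset(modes.get(m, ())) for m in MODES}

def dominates(a_i: Domain, a_j: Domain) -> bool:
    """A_i dominates A_j iff for every access mode a, a_i is a superset of a_j."""
    return all(a_i[m] >= a_j[m] for m in MODES)

def ring_domain(r: int, brackets: dict[str, tuple[int, int, int]]) -> Domain:
    """Dominance domain A_r: what a process in ring r may do to each object,
    given that object's ring bracket (R1, R2, R3)."""
    access = {m: set() for m in MODES}
    for obj, (r1, r2, r3) in brackets.items():
        if not 0 <= r1 <= r2 <= r3:
            raise ValueError(f"ill-formed ring bracket {(r1, r2, r3)} for {obj}")
        if r <= r2:
            access["observe"].add(obj)
        if r <= r1:
            access["modify"].add(obj)
        if r1 <= r <= r2:
            access["execute"].add(obj)
        if r2 < r <= r3:
            access["call"].add(obj)
    return domain(**access)

def chain_modes(domains: list[Domain]) -> set[str]:
    """Modes for which A_0 >= A_1 >= ... holds, i.e. successive dominance."""
    return {m for m in MODES
            if all(domains[i][m] >= domains[i + 1][m] for i in range(len(domains) - 1))}

def domains_containing(obj: str, domains: list[Domain]) -> list[int]:
    """Indices of the domains an object belongs to by at least one mode."""
    return [i for i, d in enumerate(domains) if any(obj in d[m] for m in MODES)]

# The thesis's example domains A_1 and A_4 (observe and modify only).
A1 = domain(observe={"A"}, modify={"B"})
A4 = domain(observe={"A", "B", "C", "D"}, modify={"A", "B", "C", "D"})

# Constructed segments for a system discriminating rings 0 to 3; X carries
# the bracket (2, 2, 6) discussed in the text, the others are made up.
BRACKETS = {
    "X": (2, 2, 6),
    "kernel_seg": (0, 0, 0),
    "lib": (0, 1, 3),
    "gate_seg": (1, 1, 2),
    "user_data": (3, 3, 3),
}
RINGS = [ring_domain(r, BRACKETS) for r in range(4)]

if __name__ == "__main__":
    print("A4 dominates A1:", dominates(A4, A1), "| A1 dominates A4:", dominates(A1, A4))
    print("modes with successive dominance over rings 0..3:", sorted(chain_modes(RINGS)))
    print("X belongs to rings:", domains_containing("X", RINGS))
    for r, d in enumerate(RINGS):
        print(f"A_{r}:", {m: sorted(d[m]) for m in MODES})
```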


This section has established a formal definition of domains suitable for discussion of complex domain-related issues. The notion of dominance domains was introduced and their relationship to protection mechanisms established. The Multics Ring Mechanism provided an example of the means by which one may evaluate the dominance domains established by a protection mechanism. Having formalized these concepts, the relationship between policy and mechanism may now be investigated in an organized manner.
IV. THE ASSIGNMENT TECHNIQUE


This section introduces a mathematical framework for evaluating the relationship between non-discretionary security policies and protection mechanisms. An evaluation approach, termed "The Assignment Technique", utilizes the entity-relationship model in establishing an assignment between the security classes of information established by the policy constraints, and dominance domains, established by the properties of the mechanism. The assignment technique provides a theoretical foundation for assessing the sufficiency of an access control mechanism with respect to a well formed protection policy.

This section begins with a general discussion of the meaning of "assignment". It then proceeds to introduce the assignment technique in its general form. The section concludes with a simplification of the assignment technique made possible by the lattice nature of non-discretionary security policies.


A. ASSIGNMENT

Assignment is the establishment of a relationship between two entities such that the first entity is assigned to the second entity. Mathematically, the term "assignment" is not significant. One could easily have said that entity 1 is related to entity 2. Intuitively, however, assignment is associated with the connotation "to fix authoritatively". This precisely describes the manner in which this relationship is established.

Assignment may be denoted by a graph from the first entity to the second as follows:

(entity 1) ------> (entity 2)
        is assigned to

It is important to recognize that assignment does not alter either entity. Assignment is merely the act of associating an entity or set of entities with some other entity or set of entities.

Another way to describe assignment is in terms of the act of forming a tuple (entity 1, entity 2). Additionally, one may think of assignment as a function (i.e., "is assigned to") where the assignment process establishes a mapping between two otherwise disjoint entities. Regardless of the context of discussion or the symbolism used, one may simply think of assignment as the act of associating one thing with another.


B. THE TECHNIQUE

The essence of the assignment technique is relatively simple. First of all, consider the nature of a lattice security policy. Such a policy partitions the objects of a system into a lattice of equivalence classes labeled by the access classes as discussed in section II. Each equivalence class can be thought of as an entity that may be subject to assignment.

Then consider a mechanism, which establishes a lattice of dominance domains as discussed in Section III. Each of these domains can also be thought of as an entity that may be subject to assignment.

Since an assignment can be established between any two entities, one can make an assignment between the equivalence classes established by a lattice security policy and the dominance domains established by some protection mechanism. One may then validate that (for this assignment) the mechanism is sufficient to support this policy. This validation is made by examining the set of access relations that the mechanism permits, and testing for possible violations of the policy.

The assignment technique can be described more systematically as follows:


1) Determine if the policy is a lattice policy. If not, the assignment technique does not apply.

2) Establish the set of equivalence classes, {e_1, e_2, ..., e_k, ..., e_p}, that are associated with each access class.

3) Determine the set of dominance domains, {A_1, A_2, ..., A_k, ..., A_q}, that are established by the system's protection mechanism.

4) Make an assignment from e_i to A_j.

5) For this assignment, examine the access relations permitted by the mechanism, testing for possible violations of the policy.

6) If no violations can exist, the mechanism is sufficient for the policy in question.

Step 4 of the assignment method allows for considerable flexibility in the manner in which assignments can be made. Any possible mapping from equivalence classes to dominance domains may be considered. This flexibility, however, requires considerable effort in order to determine that a mechanism is not sufficient for a given policy. Fortunately, in this thesis one is specifically dealing with the security issue. Because of this, several refinements can be made that greatly simplify this task.


C. SIMPLE ASSIGNMENT

The question of how one chooses to make assignments (i.e., the choice of an assignment scheme) may seem relatively complex upon first inspection of the assignment technique. The problem, however, becomes almost trivial when dealing with simple non-discretionary security policies, as is shown by the following arguments.

First of all, it is clear that the equivalence classes (established by the policy constraints) represent distinct access classes. It is also clear that the dominance domains represent distinct sets of objects. If more than one equivalence class were assigned to the same dominance domain, then there is nothing in the mechanism to distinguish between the access classes. But the policy does draw some distinctions between these access classes (i.e., the distinction established by the definition of the access classes), so it would not be possible to enforce the policy with such an assignment. All such assignments can be eliminated, a priori.

On the other hand, if one equivalence class was assigned to more than one dominance domain, then some distinction is being made for an access class that is not specified in the policy. In some cases, one may find that such distinctions produce violations of the policy. Although other cases may not do so, these extra dominance domains are unnecessary, providing distinctions which have no significance. Therefore, the number of dominance domains of interest established by the mechanisms should be equal to the number of access classes established by the policies.

One may attempt to argue that there may exist dominance domains that do not receive an assignment. Such domains, however, must be either empty or in no way allow for an exception to the enforcement of the policy. As such, one need not be concerned with the question of their existence. One need only concentrate on the dominance domains for which the assignment was made.
Considering assignment as a function, it has been established that the only assignment schemes of interest are bijective (i.e., a one to one and onto relationship between the access classes and the dominance domains [22]). This provides some improvement, but one is still faced with at least p! possible assignment schemes to evaluate (where p is the number of access classes established by the policy).

One may gain considerable improvement, however, by only attempting to validate one simple mechanism with respect to one simple policy at a time. Furthermore, the knowledge of partially ordered sets may be used to make our assignments in a very selective manner. This is done by first requiring that the lattice for the dominance domains of interest that one considers for assignment be an isomorphic image of that for the equivalence classes. This may not be a necessary condition; however, it in no way invalidates the results shown (as one would otherwise be dealing with an isomorphic sub-image established by the mechanism), and it is helpful to this discussion.

When considering the isomorphic image of a lattice, the problem of assignment is reduced to a question of orientation. One may either assign the greatest lower bound of the lattice to the greatest lower bound of the image, or assign the greatest lower bound of the lattice to the least upper bound of the image. Any other assignment would not be acceptable, as it would violate the ordering of the lattice or of the image.

So for a system of k isomorphic images of the lattice established by the policy, one need only consider at most 2k assignment schemes. In most practical cases, when the mechanism establishes isomorphic images which are identical in their access control properties because of the uniform nature of the mechanism, one need consider only 2 assignment schemes.
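The six steps of section B, restricted to the two orientations just derived, as an added example that is not the thesis's own code. The class labels, the form in which a mechanism is stated (may a process in domain i use a mode on an object of domain j?) and both mechanism rule sets are assumptions: RING_LIKE is the uniform image of the ring rules in which each object's R1 = R2 is the ring it is assigned to, and CONFINED is a hypothetical mechanism that additionally confines modification inward.

```python
"""Added example, not code from the thesis: steps 1 to 6 of the assignment
technique, restricted as in the simple assignment discussion to the two
orientations (GLB to GLB, GLB to LUB) of a bijection between a linear
lattice policy and an isomorphic chain of dominance domains.

Assumed and constructed: the class labels, the way a mechanism is stated
(may a process in domain i use a mode on an object of domain j?), and the
two mechanisms.  RING_LIKE is the uniform image of the ring rules in which
each object's R1 = R2 is the ring it is assigned to; CONFINED is a
hypothetical mechanism that also confines modification inward."""

from typing import Callable

# Steps 1 and 2: a simple (linear) lattice policy whose equivalence classes
# are the access classes, listed from GLB to LUB.
CLASSES = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
rank = CLASSES.index

# A rule compares the two sides of an access: (subject value, object value).
Rule = Callable[[int, int], bool]

# Policies: access mode -> rule on the ranks of the subject and object classes.
COMPROMISE: dict[str, Rule] = {
    "observe": lambda s, o: s >= o,   # Simple Security Condition
    "modify":  lambda s, o: s <= o,   # (Security) Confinement Property
}
SUBVERSION: dict[str, Rule] = {
    "modify":  lambda s, o: s >= o,   # Simple Integrity Condition
    "observe": lambda s, o: s <= o,   # Integrity Confinement Property
}

# Step 3: dominance domains D_0 (the LUB, dominating all others) .. D_{p-1}
# (the GLB); a mechanism is its rule per mode on (subject domain, object domain).
RING_LIKE: dict[str, Rule] = {       # inner rings read and write outer ones
    "observe": lambda i, j: i <= j,
    "modify":  lambda i, j: i <= j,
}
CONFINED: dict[str, Rule] = {        # reads outward only, writes inward only
    "observe": lambda i, j: i <= j,
    "modify":  lambda i, j: i >= j,
}

def assignment_schemes(p: int) -> dict[str, list[int]]:
    """Step 4 under simple assignment: the two bijections from class rank k
    (0 = GLB) to a domain number, for p classes and p domains."""
    return {
        "GLB->GLB": [p - 1 - k for k in range(p)],   # GLB class -> D_{p-1}
        "GLB->LUB": list(range(p)),                  # GLB class -> D_0
    }

Violation = tuple[str, str, str]   # (mode, subject class, object class)

def violations(policy: dict[str, Rule], mechanism: dict[str, Rule],
               assign: list[int]) -> set[Violation]:
    """Step 5: every access the mechanism permits that the policy forbids,
    for one assignment.  A mode the mechanism never grants cannot be
    violated; a mode the policy does not constrain is not checked."""
    found: set[Violation] = set()
    for mode, rule in policy.items():
        mech = mechanism.get(mode)
        if mech is None:
            continue
        for s in CLASSES:
            for o in CLASSES:
                if mech(assign[rank(s)], assign[rank(o)]) and not rule(rank(s), rank(o)):
                    found.add((mode, s, o))
    return found

def validate(policy: dict[str, Rule], mechanism: dict[str, Rule]) -> dict[str, set[Violation]]:
    """Steps 4 to 6 over both orientations: violations per scheme."""
    return {name: violations(policy, mechanism, assign)
            for name, assign in assignment_schemes(len(CLASSES)).items()}

def sufficient(policy: dict[str, Rule], mechanism: dict[str, Rule]) -> bool:
    """Step 6: the mechanism is sufficient iff some scheme admits no violation."""
    return any(not v for v in validate(policy, mechanism).values())

if __name__ == "__main__":
    for pname, policy in (("compromise", COMPROMISE), ("subversion", SUBVERSION)):
        for mname, mech in (("ring-like", RING_LIKE), ("confined", CONFINED)):
            print(f"{pname} policy on {mname} mechanism: sufficient={sufficient(policy, mech)}")
            for scheme, v in validate(policy, mech).items():
                print(f"  {scheme}: {len(v)} violation(s)", sorted(v)[:2])
```

Run stand-alone, the ring-like mechanism fails both orientations for the compromise policy (one direction of read or write is always unconfined), while the confined mechanism passes under exactly one orientation, and its dual orientation is the one that passes for the subversion policy.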


The Simple Assignment Theorem: For any simple lattice policy and an isomorphic image established by some protection mechanism, no more than two assignment schemes are necessary to validate the sufficiency of the mechanism to enforce the policy.

Proof: The proof proceeds by showing that two assignment schemes are reasonable and that all others are not.

1) Make assignments starting from the greatest lower bound (GLB) of the lattice to the GLB of the isomorphic image. Then assign every reachable access class (i.e., those of unit distance) to a reachable dominance domain in the isomorphic image. Next assign all reachable access classes from those just assigned (which are not already assigned) to a corresponding reachable dominance domain. Proceed in this fashion until all access classes have been assigned. An assignment such as that shown in figure 15 will result, where the LUB is assigned to the LUB, A is assigned to A', B is assigned to B', and so forth.

This assignment is a valid assignment in that an assignment can be made from the access classes to the dominance domains that is not inherently incorrect and therefore is worthy of consideration. This does not mean that the protection mechanism is sufficient for this assignment. It only implies that such an assignment scheme is worthy of consideration.


Figure 15. GLB to GLB Assignment. (Access classes on the left are mapped to dominance domains on the right.)


2) Now consider a second practical assignment. This assignment starts from the GLB of the lattice, making an assignment to the LUB of the isomorphic image and proceeding as in the first assignment scheme. The resulting assignment is illustrated in figure 16, where the LUB is assigned to the GLB, A is assigned to D', D is assigned to A', and so forth.





Figure 16. GLB to LUB Assignment. (Access classes on the left are mapped to dominance domains on the right.)


It is important to note that if the lattice structure is not uniform, i.e., inverting the lattice would not produce the same image, then only one of the two aforementioned assignment schemes will be successful. This limitation occurs because one encounters some set of reachable access classes during assignment that have no corresponding reachable dominance domains. However, for any lattice structure, uniform or otherwise, there will always be one assignment scheme to an isomorphic image that is worthy of consideration. This leads us to the following corollary.

Corollary 1: For any lattice policy and an isomorphic image established by some protection mechanism, there exists at least one valid assignment scheme.

Proof (Corollary 1): The proof is trivial from the definition of an isomorphic image. If a lattice has an isomorphic image, then at least one ordering of nodes in the image is identical to the ordering of nodes in the lattice. Therefore, this ordering is worthy of consideration.


3) Now consider the assignment of the GLB access class to any dominance domain other than the LUB or the GLB. If this is done, then some other access class must be assigned to the LUB dominance domain and still another access class must be assigned to the GLB dominance domain. But if the isomorphic image is to maintain the ordering of the access classes, then there exists some ordering which is not valid, because either the GLB or the LUB of the isomorphic image is to be considered less than the GLB (in the image), which must be the least element (viz., least sensitive) according to the policy. Therefore, such an assignment can never be valid. Thus one is reduced to the task of considering only two possible assignment schemes of interest.


One can further simplify the assignment technique by combining steps 4 and 5. This is accomplished by making an assignment and examining all producible access relations immediately. If an access relation is not valid, one can quickly determine that the assignment scheme in use will not validate the sufficiency of the mechanism.

When one is dealing with more complex lattice structures, one is faced with two alternatives. One can either validate the sufficiency of the mechanism for each sub-policy, establishing that if each sub-policy is enforced then the complex policy is enforced, or one may choose to validate the complex policy by a straightforward assignment. When using a straightforward assignment approach, one must remember that the Simple Assignment Theorem may not apply. This is of no particular consequence when validating a protection mechanism designed for a particular policy where the assignments are chosen carefully. However, establishing the insufficiency of an arbitrary mechanism may require considerably more effort.

The basic principles associated with the assignment technique have been presented in this section. One may now consider some simple examples that illustrate the usefulness of assignment.
V. MECHANISM SUFFICIENCY VALIDATION BY ASSIGNMENT


One of the most practical uses for the assignment technique is sufficiency validation of protection mechanisms (i.e., validation of their ability to enforce security policies) [4]. In contrast to other validation techniques [11,17], the assignment technique presents a method whose mathematical model (i.e., the entity-relationship model) is based upon the nature of security itself, rather than adapting the nature of security into a form designed to mesh with the prescribed format of some well known mathematical model. This section discusses mechanism sufficiency validation by assignment for several well known linear non-discretionary security policies. Although the principles discussed in this section apply for all lattice security policies, only linear lattice policies are discussed in this section, as they provide a sufficient foundation for the discussion of any lattice policy and are more clearly illustrated in this context.


A. MULTICS RING MECHANISM ASSIGNMENTS

The question of the sufficiency of the Multics Ring Mechanism for enforcement of the basic National Security policy was the initial problem that prompted the current research effort and led to the formulation of the assignment technique. It is appropriate, then, that this analysis be presented as an introductory application of simple assignment.

1. Compromise Policy 

As stated previously in section II, the basic National Security policy is a simple lattice security policy. Figure 15 illustrates this policy.

The dominance domains of the Multics Ring Mechanism are most frequently shown as concentric rings numbered in increasing integer order from the innermost ring, or the kernel. The security kernel is generally assigned ring number 0. For simplicity, only a system with rings 0 thru 3 is shown in this analysis. Assignment to other ring numbers (such as 2 thru 5 or 4 thru 7) will produce similar results because of the uniform nature of the Multics Ring Mechanism.

Consider as the first assignment scheme the assignment of the TOP SECRET access class (the least upper bound of the policy) to ring 0 (the least upper bound of the dominance domains). The assignment produced is illustrated in figure 17.

Next, according to the assignment technique, one must examine the access relations permitted by the mechanism and test for possible violations of the policy. In order to do so, one must first examine the nature of the Multics Ring Mechanism more closely. A detailed discussion is given by Schroeder [27]; however, a simple explanation of the pertinent details as used in this discussion is provided for those readers not otherwise familiar with Multics.


Figure 17. Basic National Security Assignment 1. (TOP SECRET is assigned to Ring 0, SECRET to Ring 1, CONFIDENTIAL to Ring 2 and UNCLASSIFIED to Ring 3; Observe and Modify relations are drawn between adjacent classes.)


The Multics Ring Mechanism determines the authorized access of a process by means of the current ring number (r). Thus a process which is executing in ring number 1 would need to be cleared for at least SECRET information according to this assignment scheme.

The Multics Ring Mechanism discriminates among objects by means of a ring bracket. The ring bracket is a three-tuple (R1, R2, R3) where R1, R2 and R3 are ring numbers and R1 ≤ R2 ≤ R3. Access to objects is restricted such that the current ring of execution must be less than or equal to R2 to observe information and less than or equal to R1 to modify information. Figure 18 shows the characteristics of the ring brackets both in terms of the access modes used in this discussion and the access modes used in Multics.
Figure 18. Multics Ring Mechanism. (Rings from Ring 0 outward; Write (Modify) is permitted up to R1, Read (Observe) is permitted up to R2.)


Continuing now with the examination of access relations, consider an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in ring 0 and ring 1 only. R2 must therefore be 1. This presents a problem. No matter what value one may choose for R1, a contradiction occurs. If R1 is 0 or 1, then TOP SECRET processes may modify SECRET files, violating the Confinement Property. If R1 is greater than 1, the restrictions of the ring mechanism would be violated (viz., R1 > R2). Therefore, one can conclude that this assignment is not acceptable.

Consider now the only other potential assignment scheme, where the greatest lower bound of the lattice (the UNCLASSIFIED access class) is assigned to ring 0. This assignment is illustrated in figure 19.

One may now attempt to assign ring brackets to an object classified SECRET. A problem occurs immediately. One wants processes executing in ring 2 to observe SECRET objects, but then a process in ring 0 (i.e., an UNCLASSIFIED process) will also be able to observe the object. The Simple Security Condition cannot be enforced with this assignment, so the assignment scheme is not feasible.


Figure 19. Basic National Security Assignment 2. (TOP SECRET is assigned to Ring 3, SECRET to Ring 2, CONFIDENTIAL to Ring 1 and UNCLASSIFIED to Ring 0.)


Since neither of these assignments is acceptable, and shifting the ring assignments numerically would yield similar results, one can see that no assignment will be acceptable. Therefore, the Multics Ring Mechanism is not sufficient to enforce the basic National Security policy for compromise.





2. Subversion Policy

The basic National Integrity policy [21] is the dual of the basic National Security policy. Whereas the security policy is concerned with the unauthorized observation of information, or compromise, the integrity policy is concerned with the unauthorized modification of information, or subversion, as discussed in section II.

Consider first the assignment of the TOP SECRET access class (the least upper bound for the lattice established by the policy) to Ring 0 (the least upper bound for the dominance domains established by the mechanism). The assignment produced is shown in figure 20.


Figure 20. Basic National Integrity Assignment 1. (TOP SECRET is assigned to Ring 0, SECRET to Ring 1, CONFIDENTIAL to Ring 2 and UNCLASSIFIED to Ring 3; Modify and Observe relations are drawn between adjacent classes.)







One may now examine the access relations which the Multics Ring Mechanism will permit (as shown in figure 18) and test for possible violations of the policy. In so doing, one encounters violations almost immediately. One wishes to have a process executing in Ring 1 (i.e., a SECRET process), for example, be able to observe TOP SECRET objects in Ring 0, but the mechanism prohibits this observation. Additionally, a SECRET process could observe CONFIDENTIAL information, violating the Integrity Confinement Property. Therefore, this assignment scheme is not feasible.













Figure 21. Basic National Integrity Assignment 2. (TOP SECRET is assigned to Ring 3, SECRET to Ring 2, CONFIDENTIAL to Ring 1 and UNCLASSIFIED to Ring 0; Modify and Observe relations are drawn between adjacent classes.)
Consider now the only other potential assignment scheme (viz., according to the Simple Assignment Theorem), where the TOP SECRET equivalence class is assigned to Ring 3. This assignment scheme is illustrated in figure 21.

Under this assignment, consider an object that is classified as SECRET. Such an object must be assigned a ring bracket such that it may be observed by processes in Ring 0, Ring 1 and Ring 2 only, so R2 must be assigned 2. Since R2 is 2, one is faced with a contradiction in the assignment of R1. If R1 is assigned 0, 1 or 2, then a violation of the Simple Integrity Condition occurs because UNCLASSIFIED subjects may then modify SECRET objects. If R1 is assigned 3, the Ring Bracket constraints are violated. Therefore, this assignment scheme fails to provide an assignment where the protection mechanism can enforce this policy.

According to the Simple Assignment Theorem, there are no other assignments worthy of consideration. Therefore, the Multics Ring Mechanism is not sufficient to enforce this policy either.

So far, it has been shown that the Multics Ring Mechanism is sufficient to enforce neither the basic National Security policy nor the basic National Integrity policy. However, a Multics Security Kernel has been designed [28,29] that is sufficient to support both of these policies. This may seem to be a contradiction, but it is not. The confusion is dissipated when one asks the question, "What form of policy does the Multics Ring Mechanism support?"
3. Program Integrity Policy
The general form of Program Integrity policies was introduced in section II. Consider now the specific program integrity policy shown in figure 22.


Figure 22. A Program Integrity Policy. (Bracket (Max, PI, Min); Modify is permitted from Max to PI, Read from Max to Min.)

According to this policy, entities are partitioned into one of four access classes designated as User, Supervisor, Utility or Kernel. The sensitivity of these access classes is specified as: Kernel > Supervisor > Utility > User. An assignment to a Multics ring structure is made as shown in figure 23.

Using the characteristics of ring brackets shown in figure 18, Max is designated as Ring 0, the program integrity access class (PI) as R1 and Min as R2. One may note that for this policy any choice for R2 greater than or equal to R1 will do. This analysis, however, has fixed R2 at 3.

According to the assignment technique, one must now examine the access relations permitted by the mechanism and test for possible violations of the policy. Unlike the previous examples, where the mechanism was obviously not sufficient to support the policy (i.e., only a single counter-example was necessary), this example examines a policy that is likely to be supported by the Multics Ring Mechanism. Knowing this, it is appropriate to present a more careful approach for the validation of this assignment.


Figure 23. Program Integrity Assignment 1. (Kernel is assigned to Ring 0, Supervisor to Ring 1, Utility to Ring 2 and User to Ring 3.)


For simplicity, one may refer to e0 (the first equivalence class) as Kernel (i.e., the access class that labels this equivalence class of subjects and objects), e1 as Supervisor, e2 as Utility and e3 as User. One may also refer to A0 (the first dominance domain established by the Multics Ring Mechanism) as Ring 0, A1 as Ring 1, A2 as Ring 2 and A3 as Ring 3. The assignment scheme consists of assigning e0 to A0 (Kernel to Ring 0), e1 to A1 (Supervisor to Ring 1), e2 to A2 (Utility to Ring 2) and e3 to A3 (User to Ring 3). One can now evaluate the access relations permitted by the Multics Ring Mechanism and compare them with the policy.

Examining the read access first, one notes that the Multics Ring Mechanism provides no discrimination for read access, since R2 is fixed at 3 for all objects. Thus subjects in A0, A1, A2 or A3 may read objects in A0, A1, A2 and A3. This corresponds with the access rights of the policy, which states that subjects in e0, e1, e2 or e3 may read objects in e0, e1, e2 and e3. Therefore, the mechanism is sufficient with respect to the read access relations.
Next, examining the modify access relations, one may observe that MA3 ⊂ MA2 ⊂ MA1 ⊂ MA0. Thus a subject in A0 may modify objects in A0, A1, A2 or A3. This corresponds to the access rights of the Kernel access class in that a subject in e0 may modify objects in e0, e1, e2 and e3. Examining A1, one observes that a subject in A1 may modify objects in A1, A2 or A3 but not in A0. This corresponds with the access rights of the Supervisor access class in that a subject in e1 may modify objects in e1, e2 and e3 but not in e0. Examining A2, one observes that a subject in A2 may modify objects in A2 or A3 but not in A0 or A1. This corresponds with the access rights of the Utility access class in that a subject in e2 may modify objects in e2 or e3 but not in e0 or e1. Finally, examining A3, one observes that a subject in A3 may only modify objects in A3. This corresponds with the access rights of the User access class in that a subject in e3 may only modify objects in e3. Therefore, the Multics Ring Mechanism is sufficient to support this policy with respect to modify access relations.

Next, examining the execute access relations, one may observe that XA0 ⊂ XA1 ⊂ XA2 ⊂ XA3. This is just the inverse of the modify access relations. Thus a subject in A3 may execute objects in A0, A1, A2 or A3. This corresponds to the access rights of the User access class in that a subject in e3 may execute objects in e0, e1, e2 and e3. Examining A2, one observes that a subject in A2 may execute objects in A0, A1 or A2 but not in A3. This corresponds with the access rights of the Utility access class in that a subject in e2 may execute objects in e0, e1 and e2 but not in e3. Examining A1, one observes that a subject in A1 may execute objects in A0 or A1 but not in A2 or A3. This corresponds with the access rights of the Supervisor access class in that a subject in e1 may execute objects in e0 or e1 but not in e2 or e3. Finally, examining A0, one observes that a subject in A0 may only execute objects in A0. This corresponds with the access rights of the Kernel access class in that a subject in e0 may only execute objects in e0. Therefore, the Multics Ring Mechanism is sufficient to support this policy with respect to execute access relations.

So one may observe that for each of the access modes (read, modify and execute), the Multics Ring Mechanism is sufficient to enforce the policy. Therefore, for this assignment, no violations are possible, thus proving that the Multics Ring Mechanism is sufficient to support this Program Integrity policy.
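The ring-bracket analyses of the three policies above (compromise, subversion and program integrity), as an added example that is not part of the thesis: the ring rules of figure 18, the two assignment schemes of the Simple Assignment Theorem and each policy's access rules are encoded, and for every object class the search looks for a bracket (R1, R2) whose access relations coincide with the policy's, which is how the text evaluates each figure. The execute rule (the inverse of modify, with R2 fixed at 3) is taken from the program-integrity analysis, and the function and scheme names are assumptions of this example.

```python
"""Sufficiency validation of the Multics Ring Mechanism by assignment."""
from itertools import product

RINGS = range(4)   # rings 0..3; ring 0 is the most privileged (the LUB)


def ring_permits(r, bracket, mode):
    """Decision of the ring mechanism for a process in ring r and an object
    with bracket (R1, R2), R1 <= R2 <= 3, as summarised in figure 18. The
    execute rule is the one used in the program-integrity analysis, where R2
    is fixed at 3 so that execute is the inverse of modify (assumption)."""
    r1, r2 = bracket
    if mode == "observe":
        return r <= r2
    if mode == "modify":
        return r <= r1
    if mode == "execute":
        return r1 <= r
    raise ValueError(mode)


# Linear lattice policies, classes listed from GLB (least sensitive) to LUB.
# Each rule states when a subject of class index s may access an object of
# class index o; the comment names the condition of the text it encodes.
COMPROMISE = {                                   # basic National Security
    "classes": ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"],
    "observe": lambda s, o: s >= o,              # Simple Security Condition
    "modify":  lambda s, o: s <= o,              # Confinement Property
}
SUBVERSION = {                                   # basic National Integrity
    "classes": ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"],
    "observe": lambda s, o: s <= o,              # Integrity Confinement Property
    "modify":  lambda s, o: s >= o,              # Simple Integrity Condition
}
PROGRAM_INTEGRITY = {                            # the policy of figure 22
    "classes": ["User", "Utility", "Supervisor", "Kernel"],
    "observe": lambda s, o: True,                # read is not discriminated
    "modify":  lambda s, o: s >= o,              # Kernel modifies all, User only User
    "execute": lambda s, o: s <= o,              # User executes all, Kernel only Kernel
}

SCHEMES = ("lub_to_ring0", "glb_to_ring0")


def assignment(policy, scheme):
    """The two schemes of the Simple Assignment Theorem for a linear lattice:
    'lub_to_ring0' puts the most sensitive class in ring 0 (figures 17, 20, 23),
    'glb_to_ring0' puts the least sensitive class in ring 0 (figures 19, 21).
    Returns {class index: ring}."""
    n = len(policy["classes"])
    if scheme == "lub_to_ring0":
        return {i: n - 1 - i for i in range(n)}
    return {i: i for i in range(n)}


def violations(policy, scheme, obj, bracket):
    """Every (mode, subject class, subject ring, policy says, mechanism says)
    where the mechanism's decision for an object of class index obj differs
    from the policy's decision under this bracket."""
    class_of = {ring: cls for cls, ring in assignment(policy, scheme).items()}
    modes = [m for m in ("observe", "modify", "execute") if m in policy]
    out = []
    for r, mode in product(RINGS, modes):
        want = policy[mode](class_of[r], obj)
        got = ring_permits(r, bracket, mode)
        if want != got:
            out.append((mode, policy["classes"][class_of[r]], r, want, got))
    return out


def find_bracket(policy, scheme, obj):
    """Search every legal bracket for one whose access relations coincide with
    the policy's; None means the class admits no bracket under this scheme."""
    for r1, r2 in product(RINGS, repeat=2):
        if r1 <= r2 and not violations(policy, scheme, obj, (r1, r2)):
            return (r1, r2)
    return None


def validate(policy, scheme):
    """{class name: bracket or None} for one assignment scheme."""
    return {name: find_bracket(policy, scheme, i)
            for i, name in enumerate(policy["classes"])}


def sufficient_schemes(policy):
    """Schemes under which every class receives a bracket, i.e. those for
    which the ring mechanism is sufficient to enforce the policy."""
    return [s for s in SCHEMES if all(validate(policy, s).values())]


if __name__ == "__main__":
    for name, policy in (("compromise", COMPROMISE), ("subversion", SUBVERSION),
                         ("program integrity", PROGRAM_INTEGRITY)):
        for scheme in SCHEMES:
            print(f"{name:18} {scheme:13} {validate(policy, scheme)}")
        print(f"{name:18} sufficient under: {sufficient_schemes(policy)}")
    # the text's counter-example: R2 = 1 for SECRET under assignment 1
    print(violations(COMPROMISE, "lub_to_ring0", 2, (1, 1)))
```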


B. OTHER RING MECHANISMS 

The Multics Ring Mechanism is by no means the only form of Ring Mechanism. By altering the requirements of the Ring Brackets and the need for a Gate Keeper, one can contemplate adapting ring mechanisms to meet other simple hierarchical policies.

Consider using the assignment shown in figure 17, but altering the means of discrimination among objects such that the Ring Bracket is a singleton (R1). Following the rules shown in figure 24, one can adapt this ring mechanism to enforce the basic National Security policy.


Figure 24. Security Rings. (Rings from KERNEL through R1 to MAX, with the Modify and Observe ranges marked against R1.)





Similarly, figure 25 shows the rules necessary for the same assignment as shown in figure 20 to adapt this ring mechanism to meet the basic National Integrity policy.


Figure 25. Integrity Rings. (Rings from KERNEL through R1 to MAX, with the Observe and Modify ranges marked against R1.)


To be sure, these brief suggestions do not completely characterize a practical protection mechanism. However, it appears that ring mechanisms are adaptable for the enforcement of various simple hierarchical policies.


C. CAPABILITY MECHANISMS 

Considerable effort is currently underway to provide a "Provably Secure Operating System" based upon the capability mechanism [30,31]. It is important to examine what form of protection capabilities actually provide.

Capability mechanisms primarily establish two dominance domains that are enforced by the system hardware mechanism. One domain consists of capabilities, and the other of objects that are not capabilities, such as segments and directories. A process takes no note of these dominance domains, however, because all processes have access to capabilities as well as other types of objects. So with respect to a process, the capability mechanism provides no inherent partitioning of the system entities at all. In fact, in trying to determine the structure of dominance domains for non-capability objects, one encounters a veritable "spaghetti bowl" of domains, devoid of any inherent, unifying structure. Thus a capability mechanism is in itself not sufficient for the enforcement of any non-discretionary security policy. Enforcement of non-discretionary security policies (i.e., those of primary interest to National Defense) must be accomplished by some other add-on mechanism.

This is not to say that a capability mechanism is not useful. For example, the mechanism can protect a security kernel in much the same way as rings protect the kernel in the Multics design.

The usefulness of the assignment technique in validating the suitability of a protection mechanism to enforce a security policy has been examined in this section. The validity of the assignment technique has been established.







VI. CONCLUSIONS

This research has explored the foundations of non-discretionary security, discovering an effective methodology for assessing the sufficiency of a protection mechanism to enforce a non-discretionary security policy. By formalizing the notion of a domain [6,7], and using a formal notion of non-discretionary security [3], the inseparable nature of protection mechanisms and security policies has been established. This section considers some future directions for research and summarizes the principal findings of the author.
A. FUTURE DIRECTIONS 

Although this author's investigation has provided some structure to the complex nature of security, considerable research is still needed. The relationship between protection mechanisms and other operating systems mechanisms is not clear. Such issues as synchronization and distributed processing may add new dimensions to the nature of protection. Fundamental limitations regarding implementation details remain unknown. Additionally, one can consider the formalization of policy specifications in general. Can the enforcement of any other policies be evaluated? Can all enforceable policies be represented in some common form such as a lattice?

One of the most difficult problems in actually enforcing any security policy is the maintenance of unique non-forgeable attributes [6] associated with the subjects and objects. A mechanism for maintaining the uniqueness of these attributes may be called an "isolation mechanism", because it isolates those subjects that may access these attributes from those that may not. This does not prevent sharing of objects, but simply provides a means of isolating these attributes from general unprotected usage. Both the capability mechanism [30,31] and the notion of a gate (mechanism) [8,28] appear to be isolation mechanisms. A comprehensive study of this problem is beyond the scope of this discussion. However, a few observations concerning isolation noted during this research are provided.

Among the fundamental principles upon which an isolation mechanism must rely are the notion of a segment (i.e., the unit of information storage for which the access class is identified) and the tranquillity principle (i.e., the notion that the access class for a subject or an object does not change during the course of computations) [17]. If these two principles are not enforced, it is not clear how one may evaluate the enforcement of any non-discretionary security policy.
The tranquillity principle does not strictly apply to processes. In Multics, for example, processes have several domains of execution. However, since a subject is defined as a process-domain pair, one might at first suspect that a process executing in multiple domains does not present a security problem. This is not always the case, particularly when dealing with policies that attempt to limit the information flow [13].

When attempting to enforce the National Security Policy in a multi-user, multi-process environment, where a process executes in a sequential fashion (i.e., the process is serializable), one can do no better than to allow a process to proceed to its "high water mark" and then terminate at that level. Any attempt to revert to a less sensitive access class will result in a potential compromise. For example, consider the compromise technique shown in figure 26.

In this example, a malicious agent utilizes the feature of sequential processes and the basic PV synchronization mechanism [33] to take the "Info" in Dominance Domain 2 and copy it into Dominance Domain 1. In order to do so, the agent calls procedures placed in the "High" domain by subversion [3], relying only upon one process (i.e., PROCESS 0 or PROCESS 1) to return, thus providing the information in binary form to the Low domain. Thus by serialization and process synchronization alone, the isolation of the dominance domains has been compromised.
Figure 26. Serialization Problem. (Dominance Domain 1 (Low) and Dominance Domain 2 (High); initial states, the execution of PROCESS 2 (Synchronizer), PROCESS 0 (Get a Zero) and PROCESS 1 (Get a One) against the High-domain procedures ZeroProc and OneProc, and the final state in which Info has been copied into Copy.)





If one were to allow processes to act independently in each dominance domain (i.e., processes are serializable only with respect to a given dominance domain, or synchronization between two processes is not possible), this compromise could not occur. In general, this example shows that synchronization of processes, serialization of processes and secure computations are fundamentally related in some fashion. The exact nature of this relationship is not clear.


B. RESULTS

The assignment technique has been shown to be a useful method for validating the sufficiency of a protection mechanism to enforce non-discretionary security policies. This method provides considerable insight into the nature of access control. One may observe that non-discretionary security is dependent only upon the dominance domains established by the system's mechanisms and their associated permissible access relations. The nature of the computation is of no concern.

Any non-discretionary security policy for which the access classes and access relations can be enumerated can be enforced in a theoretical sense. Actual implementation, however, is dependent upon the system's isolation mechanism. No policy can be enforced, in a practical sense, unless the system can maintain unique non-forgeable attributes.
Protection mechanisms inherently mirror the policies that they enforce. Non-discretionary security policies form a lattice of access classes that may be mapped to an isomorphic image of dominance domains, inherently established by the protection mechanism. Since this has been shown, one need not illustrate separate lattices for both policy and mechanism. One unified description for both the lattice policy and its image established by the protection mechanism is sufficient for general systems design considerations.

One may also consider approaching the assignment technique from the mechanism point of view. The question then becomes, "Given some general protection mechanism, what form of policies will it support?" An absolute answer to this question is, in general, not available. However, one can make an evaluation for those policies that are of current interest. Thus, the assignment technique gives one a forum in which to consider the usefulness of protection mechanisms for specific policies of interest.

Uniform protection mechanisms, i.e., those mechanisms forming lattice structures of dominance domains where the access relations between any two antisymmetric dominance domains are identical, may be represented by linear access graphs in the same manner as a policy. When the linear access graph for the policy is similar to the linear access graph for the mechanism, one can see that for a carefully chosen assignment scheme the protection mechanism will enforce the security policy.

One may consider the development of a taxonomy of uniform protection mechanisms based upon the nature of the access control that each enforces. Such a taxonomy is beyond the scope of this discussion; however, the linear access graphs illustrated throughout this text may be helpful in initiating such an effort.

The protection provided by the Multics Ring Mechanism appears to be precisely the issue that Wulf, Jones and the other designers of the HYDRA system were attempting to understand [18]. They introduce their discussion by first saying:

"Protection is, in our view, a mechanism." [18]


Their discussion then proceeds to make the following general statement relative to the Multics rings:

"Our rejection of hierarchical system structures, and especially ones which employ a single hierarchical relation for all aspects of system interaction, is also, in part, a consequence of the distinction between protection and security. A failure to distinguish these issues coupled with a strict hierarchical structure leads inevitably to a succession of increasingly privileged system components, and ultimately to a most privileged one, which gain their privilege exclusively by virtue of their position in the hierarchy. Such structures are inherently wrong ..." [18]
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Had the asSignment tecnnique been available to the 
Aautnors of tne above statement, tney would nave  0been 
afforded a means of expressing their views more precisely 
than the ambiguous pnrase “innerently wrong. The assignment 
technique provides a precise means for clearly formulating 
sucn an opservation and evaluating its validity. As snown in 
section V, and in agreement with Wults” statement, the 
Multics Ring Mecnanism is “inherently wrong witn respect to 
compromise policies. On the other hand, the Multics Rine 
Mecnanism is “just rignt” as a means of enforcing a program 
integrity policy or assisting in the enforcement of the 
systems hierarchical as well aS non-hierarchical security 
policies (viz., via Security Kernels). 
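The following Python program is an added illustration of the assignment check described above; it is not code from the thesis. It models a policy and a mechanism as sets of permitted (subject, object, mode) triples over linear chains of access classes and ring numbers, tries every one-to-one assignment of access classes to rings, and reports whether any assignment lets the rings enforce the policy. The ring model is a simplification (assumption: no access brackets or gates, a subject in ring r has every mode on rings r and outward and none on inner rings), and the "program integrity" policy is taken here to mean "no write to an object of higher integrity", which is also an assumption of this example rather than the thesis's definition. The three-level chains are constructed sample input. 

```python
"""Toy assignment check: map a policy's access classes onto a mechanism's
dominance domains and test whether the mechanism enforces the policy.

Added illustration, not code from the thesis.  Lattices are linear chains
of integers; ring behaviour is simplified (assumption: no access brackets
or gates), and the "program integrity" policy is taken to be "no write to
a higher-integrity class" (also an assumption of this example).
"""
from itertools import permutations, product

MODES = ("read", "write")


def compromise_policy(levels):
    """Compromise (confidentiality) policy on a chain of sensitivity
    levels, 0 = lowest: read only at or below one's own level (no
    read-up) and write only at or above it (no write-down)."""
    allowed = set()
    for s, o in product(levels, repeat=2):
        if o <= s:
            allowed.add((s, o, "read"))
        if o >= s:
            allowed.add((s, o, "write"))
    return allowed


def integrity_policy(levels):
    """Assumed program-integrity policy on a chain of integrity levels,
    0 = lowest: any read, but no write to an object of higher integrity."""
    allowed = set()
    for s, o in product(levels, repeat=2):
        allowed.add((s, o, "read"))
        if o <= s:
            allowed.add((s, o, "write"))
    return allowed


def ring_mechanism(rings):
    """Simplified ring mechanism, ring 0 most privileged: a subject in
    ring r has every access mode on segments in rings >= r and none on
    inner rings.  Assumption: Multics access brackets and gates ignored."""
    permitted = set()
    for s, o in product(rings, repeat=2):
        if o >= s:
            permitted.update({(s, o, m) for m in MODES})
    return permitted


def violations(policy_allowed, mechanism_permitted, assignment):
    """Accesses the mechanism permits but the policy forbids, given an
    assignment {access_class: dominance_domain}.  Empty set = enforced."""
    bad = set()
    for s, o in product(assignment, repeat=2):
        for m in MODES:
            if ((assignment[s], assignment[o], m) in mechanism_permitted
                    and (s, o, m) not in policy_allowed):
                bad.add((s, o, m))
    return bad


def unrealized(policy_allowed, mechanism_permitted, assignment):
    """Accesses the policy allows but the mechanism denies: harmless for
    enforcement, but shows where the mechanism is stricter than needed."""
    missing = set()
    for s, o in product(assignment, repeat=2):
        for m in MODES:
            if ((s, o, m) in policy_allowed
                    and (assignment[s], assignment[o], m) not in mechanism_permitted):
                missing.add((s, o, m))
    return missing


def find_enforcing_assignment(policy_allowed, mechanism_permitted, classes, domains):
    """Search one-to-one assignments of classes to domains; return the
    first under which the mechanism enforces the policy, else None."""
    for image in permutations(domains, len(classes)):
        assignment = dict(zip(classes, image))
        if not violations(policy_allowed, mechanism_permitted, assignment):
            return assignment
    return None


if __name__ == "__main__":
    levels = rings = [0, 1, 2]  # constructed three-level chains
    mech = ring_mechanism(rings)
    for name, pol in (("compromise", compromise_policy(levels)),
                      ("integrity", integrity_policy(levels))):
        a = find_enforcing_assignment(pol, mech, levels, rings)
        print(f"{name}: enforcing assignment = {a}")
        if a:
            print("  policy-allowed accesses the rings deny:",
                  sorted(unrealized(pol, mech, a)))
```

Run as written, the search finds no assignment at all for the compromise policy: whichever class is placed in the inner ring can both read and write the outer ring, so the mechanism permits either a read-up or a write-down. For the integrity policy the order-reversing assignment (highest integrity in ring 0) produces no violations, and the only discrepancies are reads the policy would allow but the rings deny, which do not weaken enforcement. 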

Additionally, in the same report [18] the authors make 
the following observation with respect to their overall 
design methodology: 

"Among the major causes of our inability to 
experiment with, and adapt, existing operating 
systems is their failure to properly separate 
mechanisms from policy." [18] 

The assignment technique has shown, however, that 
security policies and the protection mechanisms that 
enforce these policies are inextricably related. 
Recognizing this inseparability should provide considerable 
insight into current efforts in this area. 
Overall, assignment research has provided a mathematical 
methodology for unifying the discussion of security related 
issues. One may now properly refer to an access mode as a 
realization of an access right, a dominance domain as a 
realization of an access class, and a protection mechanism as 
a realization of a security policy. 